General

  • Target

    hjghfggfghfgfhnt.exe

  • Size

    86KB

  • Sample

    240427-1rf29shc98

  • MD5

    e8aab9a49c8f964ccee3d26f5e31cf40

  • SHA1

    bef1609695d579e20f19ddc32f4c05b87e0593be

  • SHA256

    4b99c9ec06743b0551c1f69464d884c9a350dd3efbe4a9e4c2f7f637ee4fd130

  • SHA512

    e165d1ebdfb85635907a84474fc64f3d4f6f9e1953522018de7c1a8876655a3c2e273e526b6f1ec49df337be5971d91870ba47ac574a6ee1fe6241273c3b1dc9

  • SSDEEP

    1536:rt3Jw1XYk6zvWK8m/bgiRBkL+QafT6F4mOduPSVKEl:rt3Jw9G4kbgWk6Qx4mOduPwl

Malware Config

Extracted

  • Family

    xworm

  • C2

    0.tcp.eu.ngrok.io:38479
    7.tcp.eu.ngrok.io:38479
    europe-stainless.gl.at.ply.gg:38479

  • Attributes

    Install_directory: %AppData%
    install_file: USB.exe

Targets

    • Detect Xworm Payload

    • XenArmor Suite

      XenArmor is a suite of password recovery tools for various applications.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                             Count  ID
  Execution              Scheduled Task/Job                    1      T1053
  Persistence            Boot or Logon Autostart Execution     1      T1547
  Persistence            Registry Run Keys / Startup Folder    1      T1547.001
  Persistence            Scheduled Task/Job                    1      T1053
  Privilege Escalation   Boot or Logon Autostart Execution     1      T1547
  Privilege Escalation   Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation   Scheduled Task/Job                    1      T1053
  Defense Evasion        Modify Registry                       1      T1112
  Credential Access      Unsecured Credentials                 5      T1552
  Credential Access      Credentials In Files                  4      T1552.001
  Credential Access      Credentials in Registry               1      T1552.002
  Discovery              System Information Discovery          1      T1082
  Discovery              Query Registry                        1      T1012
  Collection             Data from Local System                5      T1005
  Collection             Email Collection                      1      T1114
  Command and Control    Web Service                           1      T1102